upstream/oracle/userland-gate: comparison components/openssl/openssl-1.0.0/engines/pkcs11/hw

equal deleted inserted replaced

-:646785c43987
+:39cfb488e7d8
 #ifdef	SOLARIS_HW_SLOT_SELECTION
 #include <sys/auxv.h>
 #endif
+#ifdef DEBUG_SLOT_SELECTION
+#define	DEBUG_SLOT_SEL(...) fprintf(stderr, __VA_ARGS__)
+#else
+#define	DEBUG_SLOT_SEL(...)
+#endif
 /*
 * AES counter mode is not supported in the OpenSSL EVP API yet and neither
 * there are official OIDs for mechanisms based on this mode. With our changes,
 * an application can define its own EVP calls for AES counter mode and then
 * it can make use of hardware acceleration through this engine. However, it's
 * Create all secret key objects in a global session so that they are available
 * to use for other sessions. These other sessions may be opened or closed
 * without losing the secret key objects.
 */
 static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
+/* Index for the supported ciphers */
+enum pk11_cipher_id {
+	PK11_DES_CBC,
+	PK11_DES3_CBC,
+	PK11_DES_ECB,
+	PK11_DES3_ECB,
+	PK11_RC4,
+	PK11_AES_128_CBC,
+	PK11_AES_192_CBC,
+	PK11_AES_256_CBC,
+	PK11_AES_128_ECB,
+	PK11_AES_192_ECB,
+	PK11_AES_256_ECB,
+	PK11_BLOWFISH_CBC,
+#ifdef	SOLARIS_AES_CTR
+	PK11_AES_128_CTR,
+	PK11_AES_192_CTR,
+	PK11_AES_256_CTR,
+#endif	/* SOLARIS_AES_CTR */
+	PK11_CIPHER_MAX
+};
+/* Index for the supported digests */
+enum pk11_digest_id {
+	PK11_MD5,
+	PK11_SHA1,
+	PK11_SHA224,
+	PK11_SHA256,
+	PK11_SHA384,
+	PK11_SHA512,
+	PK11_DIGEST_MAX
+};
+typedef struct PK11_CIPHER_st
+	{
+	enum pk11_cipher_id	id;
+	int			nid;
+	int			iv_len;
+	int			min_key_len;
+	int			max_key_len;
+	CK_KEY_TYPE		key_type;
+	CK_MECHANISM_TYPE	mech_type;
+	} PK11_CIPHER;
+typedef struct PK11_DIGEST_st
+	{
+	enum pk11_digest_id	id;
+	int			nid;
+	CK_MECHANISM_TYPE	mech_type;
+	} PK11_DIGEST;
 /* ENGINE level stuff */
 static int pk11_init(ENGINE *e);
 static int pk11_library_init(ENGINE *e);
 static int pk11_finish(ENGINE *e);
 int *local_cipher_nids);
 static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
 CK_SLOT_ID current_slot, int *current_slot_n_digest,
 int *local_digest_nids);
 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
-CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
+int *current_slot_n_cipher, int *local_cipher_nids,
-int id);
+PK11_CIPHER *cipher);
 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
+int *current_slot_n_digest, int *local_digest_nids,
-int id);
+PK11_DIGEST *digest);
 static int pk11_init_all_locks(void);
 static void pk11_free_all_locks(void);
 #ifdef	SOLARIS_HW_SLOT_SELECTION
 static int check_hw_mechanisms(void);
 static int nid_in_table(int nid, int *nid_table);
 static int hw_aes_instruction_set_present(void);
 #endif	/* SOLARIS_HW_SLOT_SELECTION */
-/* Index for the supported ciphers */
-enum pk11_cipher_id {
-	PK11_DES_CBC,
-	PK11_DES3_CBC,
-	PK11_DES_ECB,
-	PK11_DES3_ECB,
-	PK11_RC4,
-	PK11_AES_128_CBC,
-	PK11_AES_192_CBC,
-	PK11_AES_256_CBC,
-	PK11_AES_128_ECB,
-	PK11_AES_192_ECB,
-	PK11_AES_256_ECB,
-	PK11_BLOWFISH_CBC,
-#ifdef	SOLARIS_AES_CTR
-	PK11_AES_128_CTR,
-	PK11_AES_192_CTR,
-	PK11_AES_256_CTR,
-#endif	/* SOLARIS_AES_CTR */
-	PK11_CIPHER_MAX
-};
-/* Index for the supported digests */
-enum pk11_digest_id {
-	PK11_MD5,
-	PK11_SHA1,
-	PK11_SHA224,
-	PK11_SHA256,
-	PK11_SHA384,
-	PK11_SHA512,
-	PK11_DIGEST_MAX
-};
 #define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type)	\
 	{								\
 	if (uselock)							\
 		LOCK_OBJSTORE(alg_type);				\
 static CK_BBOOL pk11_have_rsa	= CK_FALSE;
 static CK_BBOOL pk11_have_dsa	= CK_FALSE;
 static CK_BBOOL pk11_have_dh	= CK_FALSE;
 static CK_BBOOL pk11_have_random = CK_FALSE;
-typedef struct PK11_CIPHER_st
+/*
-	{
+* Static list of ciphers.
-	enum pk11_cipher_id	id;
+* Note, that ciphers array is indexed by member PK11_CIPHER.id,
-	int			nid;
+* thus ciphers[i].id == i
-	int			iv_len;
+* Rows must be kept in sync with enum pk11_cipher_id.
-	int			min_key_len;
+*/
-	int			max_key_len;
-	CK_KEY_TYPE		key_type;
-	CK_MECHANISM_TYPE	mech_type;
-	} PK11_CIPHER;
 static PK11_CIPHER ciphers[] =
 	{
 	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
 		CKK_DES,	CKM_DES_CBC, },
 	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
 	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
 		CKK_AES,	CKM_AES_CTR, },
 #endif	/* SOLARIS_AES_CTR */
 	};
-typedef struct PK11_DIGEST_st
+/*
-	{
+* Static list of digests.
-	enum pk11_digest_id	id;
+* Note, that digests array is indexed by member PK11_DIGEST.id,
-	int			nid;
+* thus digests[i].id == i
-	CK_MECHANISM_TYPE	mech_type;
+* Rows must be kept in sync with enum pk11_digest_id.
-	} PK11_DIGEST;
+*/
 static PK11_DIGEST digests[] =
 	{
 	{PK11_MD5,	NID_md5,	CKM_MD5, },
 	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
 	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
 		{
 		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
 		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
 		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
 			return (0);
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: registered RSA\n", PK11_DBG);
-		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		}
 #endif	/* OPENSSL_NO_RSA */
 #ifndef OPENSSL_NO_DSA
 	if (pk11_have_dsa == CK_TRUE)
 		{
 		if (!ENGINE_set_DSA(e, PK11_DSA()))
 			return (0);
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: registered DSA\n", PK11_DBG);
-		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		}
 #endif	/* OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DH
 	if (pk11_have_dh == CK_TRUE)
 		{
 		if (!ENGINE_set_DH(e, PK11_DH()))
 			return (0);
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: registered DH\n", PK11_DBG);
-		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		}
 #endif	/* OPENSSL_NO_DH */
 	if (pk11_have_random)
 		{
 		if (!ENGINE_set_RAND(e, &pk11_random))
 			return (0);
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: registered random\n", PK11_DBG);
-		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		}
 	if (!ENGINE_set_init_function(e, pk11_init) ||
 	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
 	    !ENGINE_set_finish_function(e, pk11_finish) ||
 	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
 	 * Disable digest if C_GetOperationState is not supported since
 	 * this function is required by OpenSSL digest copy function
 	 */
 	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
 			== CKR_FUNCTION_NOT_SUPPORTED) {
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: C_GetOperationState() not supported, "
-		fprintf(stderr, "%s: C_GetOperationState() not supported, "
 		    "setting digest_count to 0\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		digest_count = 0;
 	}
 	pk11_library_initialized = CK_TRUE;
 	pk11_pid = getpid();
 			    PK11_R_INVALID_OPERATION_TYPE);
 			return (0);
 		}
 	sp->session = CK_INVALID_HANDLE;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-#endif	/* DEBUG_SLOT_SELECTION */
 	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
 		NULL_PTR, NULL_PTR, &sp->session);
 	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
 		{
 		/*
 		}
 	/* it's not an error if we didn't find any providers */
 	if (ulSlotCount == 0)
 		{
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: no crypto providers found\n", PK11_DBG);
-		fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 		return (1);
 		}
 	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
 		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
 		OPENSSL_free(pSlotList);
 		return (0);
 		}
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
-	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
+	DEBUG_SLOT_SEL("%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
-	fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
+	DEBUG_SLOT_SEL("%s: == checking rand slots ==\n", PK11_DBG);
-	fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 	for (i = 0; i < ulSlotCount; i++)
 		{
 		current_slot = pSlotList[i];
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i);
-	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-#endif	/* DEBUG_SLOT_SELECTION */
 		/* Check if slot has random support. */
 		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
 		if (rv != CKR_OK)
 			continue;
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG,
-	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
+		    token_info.label);
-#endif	/* DEBUG_SLOT_SELECTION */
 		if (token_info.flags & CKF_RNG)
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(
-	fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
+			    "%s: this token has CKF_RNG flag\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 			pk11_have_random = CK_TRUE;
 			rand_SLOTID = current_slot;
 			break;
 			}
 		}
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: == checking pubkey slots ==\n", PK11_DBG);
-	fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 	pubkey_SLOTID = pSlotList[0];
 	for (i = 0; i < ulSlotCount; i++)
 		{
 		CK_BBOOL slot_has_rsa = CK_FALSE;
 		CK_BBOOL slot_has_dsa = CK_FALSE;
 		CK_BBOOL slot_has_dh = CK_FALSE;
 		current_slot = pSlotList[i];
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i);
-	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-#endif	/* DEBUG_SLOT_SELECTION */
 		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
 		if (rv != CKR_OK)
 			continue;
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG,
-	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
+		    token_info.label);
-#endif	/* DEBUG_SLOT_SELECTION */
 #ifndef OPENSSL_NO_RSA
 		/*
 		 * Check if this slot is capable of signing and
 		 * verifying with CKM_RSA_PKCS.
 #endif	/* OPENSSL_NO_DH */
 		if (!found_candidate_slot &&
 		    (slot_has_rsa || slot_has_dsa || slot_has_dh))
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(
-			fprintf(stderr,
 			    "%s: potential slot: %d\n", PK11_DBG, current_slot);
-#endif	/* DEBUG_SLOT_SELECTION */
 			best_slot_sofar = current_slot;
 			pk11_have_rsa = slot_has_rsa;
 			pk11_have_dsa = slot_has_dsa;
 			pk11_have_dh = slot_has_dh;
 			found_candidate_slot = CK_TRUE;
 			/*
 			 * Cache the flags for later use. We might need those if
 			 * RSA keys by reference feature is used.
 			 */
 			pubkey_token_flags = token_info.flags;
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(
-			fprintf(stderr,
 			    "%s: setting found_candidate_slot to CK_TRUE\n",
 			    PK11_DBG);
-			fprintf(stderr,
+			DEBUG_SLOT_SEL("%s: best slot so far: %d\n", PK11_DBG,
-			    "%s: best so far slot: %d\n", PK11_DBG,
 			    best_slot_sofar);
-			fprintf(stderr, "%s: pubkey flags changed to "
+			DEBUG_SLOT_SEL("%s: pubkey flags changed to "
 			    "%lu.\n", PK11_DBG, pubkey_token_flags);
 			}
 		else
 			{
-			fprintf(stderr,
+			DEBUG_SLOT_SEL("%s: no rsa/dsa/dh\n", PK11_DBG);
-			    "%s: no rsa/dsa/dh\n", PK11_DBG);
+			}
-			}
-#else
-			} /* if */
-#endif	/* DEBUG_SLOT_SELECTION */
 		} /* for */
 	if (found_candidate_slot == CK_TRUE)
 		{
 		pubkey_SLOTID = best_slot_sofar;
 		}
 	found_candidate_slot = CK_FALSE;
 	best_slot_sofar = 0;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: == checking cipher/digest ==\n", PK11_DBG);
-	fprintf(stderr, "%s: == checking cipher/digest ==\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 	SLOTID = pSlotList[0];
 	for (i = 0; i < ulSlotCount; i++)
 		{
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: checking slot: %d\n", PK11_DBG, i);
-	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-#endif	/* DEBUG_SLOT_SELECTION */
 		current_slot = pSlotList[i];
 		current_slot_n_cipher = 0;
 		current_slot_n_digest = 0;
 		(void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids));
 		    &current_slot_n_cipher, local_cipher_nids);
 		pk11_find_digests(pFuncList, current_slot,
 		    &current_slot_n_digest, local_digest_nids);
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: current_slot_n_cipher %d\n", PK11_DBG,
-		fprintf(stderr, "%s: current_slot_n_cipher %d\n", PK11_DBG,
 			current_slot_n_cipher);
-		fprintf(stderr, "%s: current_slot_n_digest %d\n", PK11_DBG,
+		DEBUG_SLOT_SEL("%s: current_slot_n_digest %d\n", PK11_DBG,
 			current_slot_n_digest);
-		fprintf(stderr, "%s: best so far cipher/digest slot: %d\n",
+		DEBUG_SLOT_SEL("%s: best cipher/digest slot so far: %d\n",
 			PK11_DBG, best_slot_sofar);
-#endif	/* DEBUG_SLOT_SELECTION */
 		/*
 		 * If the current slot supports more ciphers/digests than
 		 * the previous best one we change the current best to this one,
 		 * otherwise leave it where it is.
 		 */
 		if ((current_slot_n_cipher + current_slot_n_digest) >
 		    (slot_n_cipher + slot_n_digest))
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL("%s: changing best slot to %d\n",
-			fprintf(stderr,
-				"%s: changing best so far slot to %d\n",
 				PK11_DBG, current_slot);
-#endif	/* DEBUG_SLOT_SELECTION */
 			best_slot_sofar = SLOTID = current_slot;
 			cipher_count = slot_n_cipher = current_slot_n_cipher;
 			digest_count = slot_n_digest = current_slot_n_digest;
 			(void) memcpy(cipher_nids, local_cipher_nids,
 			    sizeof (local_cipher_nids));
 			(void) memcpy(digest_nids, local_digest_nids,
 			    sizeof (local_digest_nids));
 			}
 		}
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
-	fprintf(stderr,
+	DEBUG_SLOT_SEL("%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
-	    "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
+	DEBUG_SLOT_SEL("%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID);
-	fprintf(stderr,
+	DEBUG_SLOT_SEL("%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
-	    "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
+	DEBUG_SLOT_SEL("%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa);
-	fprintf(stderr,
+	DEBUG_SLOT_SEL("%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh);
-	    "%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID);
+	DEBUG_SLOT_SEL("%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
-	fprintf(stderr,
+	DEBUG_SLOT_SEL("%s: cipher_count %d\n", PK11_DBG, cipher_count);
-	    "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
+	DEBUG_SLOT_SEL("%s: digest_count %d\n", PK11_DBG, digest_count);
-	fprintf(stderr,
-	    "%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa);
-	fprintf(stderr,
-	    "%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh);
-	fprintf(stderr,
-	    "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
-	fprintf(stderr,
-	    "%s: cipher_count %d\n", PK11_DBG, cipher_count);
-	fprintf(stderr,
-	    "%s: digest_count %d\n", PK11_DBG, digest_count);
-#endif	/* DEBUG_SLOT_SELECTION */
 	if (pSlotList != NULL)
 		OPENSSL_free(pSlotList);
 #ifdef	SOLARIS_HW_SLOT_SELECTION
 		*any_slot_found = 1;
 	return (1);
 	}
 static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist,
-int slot_id, CK_MECHANISM_TYPE mech, int *current_slot_n_cipher,
+int slot_id, int *current_slot_n_cipher, int *local_cipher_nids,
-int *local_cipher_nids, int id)
+PK11_CIPHER *cipher)
 	{
 	CK_MECHANISM_INFO mech_info;
 	CK_RV rv;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: checking mech: %x", PK11_DBG, cipher->mech_type);
-	fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
+	rv = pflist->C_GetMechanismInfo(slot_id, cipher->mech_type, &mech_info);
-#endif	/* DEBUG_SLOT_SELECTION */
-	rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
 	if (rv != CKR_OK)
 		{
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL(" not found\n");
-		fprintf(stderr, " not found\n");
-#endif	/* DEBUG_SLOT_SELECTION */
 		return;
 		}
 	if ((mech_info.flags & CKF_ENCRYPT) &&
 	    (mech_info.flags & CKF_DECRYPT))
 		{
+		if (mech_info.ulMinKeySize > cipher->min_key_len ||
+		    mech_info.ulMaxKeySize < cipher->max_key_len)
+			{
+			DEBUG_SLOT_SEL(" engine key size range <%i-%i> does not"
+			    " match mech range <%lu-%lu>\n",
+			    cipher->min_key_len, cipher->max_key_len,
+			    mech_info.ulMinKeySize, mech_info.ulMaxKeySize);
+			return;
+			}
 #ifdef	SOLARIS_HW_SLOT_SELECTION
-		if (nid_in_table(ciphers[id].nid, hw_cnids))
+		if (nid_in_table(cipher->nid, hw_cnids))
 #endif	/* SOLARIS_HW_SLOT_SELECTION */
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(" usable\n");
-		fprintf(stderr, " usable\n");
-#endif	/* DEBUG_SLOT_SELECTION */
 			local_cipher_nids[(*current_slot_n_cipher)++] =
-			    ciphers[id].nid;
+			    cipher->nid;
 			}
 #ifdef	SOLARIS_HW_SLOT_SELECTION
-#ifdef	DEBUG_SLOT_SELECTION
 		else
 			{
-		fprintf(stderr, " rejected, software implementation only\n");
+			DEBUG_SLOT_SEL(
-			}
+			    " rejected, software implementation only\n");
-#endif	/* DEBUG_SLOT_SELECTION */
+			}
 #endif	/* SOLARIS_HW_SLOT_SELECTION */
 		}
-#ifdef	DEBUG_SLOT_SELECTION
 	else
 		{
-		fprintf(stderr, " unusable\n");
+		DEBUG_SLOT_SEL(" unusable\n");
 		}
-#endif	/* DEBUG_SLOT_SELECTION */
 	return;
 	}
 static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
-CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
+int *current_slot_n_digest, int *local_digest_nids, PK11_DIGEST *digest)
-int id)
 	{
 	CK_MECHANISM_INFO mech_info;
 	CK_RV rv;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: checking mech: %x", PK11_DBG, digest->mech_type);
-	fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
+	rv = pflist->C_GetMechanismInfo(slot_id, digest->mech_type, &mech_info);
-#endif	/* DEBUG_SLOT_SELECTION */
-	rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
 	if (rv != CKR_OK)
 		{
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL(" not found\n");
-		fprintf(stderr, " not found\n");
-#endif	/* DEBUG_SLOT_SELECTION */
 		return;
 		}
 	if (mech_info.flags & CKF_DIGEST)
 		{
 #ifdef	SOLARIS_HW_SLOT_SELECTION
-		if (nid_in_table(digests[id].nid, hw_dnids))
+		if (nid_in_table(digest->nid, hw_dnids))
 #endif	/* SOLARIS_HW_SLOT_SELECTION */
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(" usable\n");
-		fprintf(stderr, " usable\n");
-#endif	/* DEBUG_SLOT_SELECTION */
 			local_digest_nids[(*current_slot_n_digest)++] =
-			    digests[id].nid;
+			    digest->nid;
 			}
 #ifdef	SOLARIS_HW_SLOT_SELECTION
-#ifdef	DEBUG_SLOT_SELECTION
 		else
 			{
-		fprintf(stderr, " rejected, software implementation only\n");
+			DEBUG_SLOT_SEL(
-			}
+			    " rejected, software implementation only\n");
-#endif	/* DEBUG_SLOT_SELECTION */
+			}
 #endif	/* SOLARIS_HW_SLOT_SELECTION */
 		}
-#ifdef	DEBUG_SLOT_SELECTION
 	else
 		{
-		fprintf(stderr, " unusable\n");
+		DEBUG_SLOT_SEL(" unusable\n");
 		}
-#endif	/* DEBUG_SLOT_SELECTION */
 	return;
 	}
 #ifdef	SOLARIS_AES_CTR
 	int i;
 	for (i = 0; i < PK11_CIPHER_MAX; ++i)
 		{
 		pk11_get_symmetric_cipher(pflist, current_slot,
-		    ciphers[i].mech_type, current_slot_n_cipher,
+		    current_slot_n_cipher, local_cipher_nids, &ciphers[i]);
-		    local_cipher_nids, ciphers[i].id);
 		}
 	}
 /* Find what digest algorithms this slot supports. */
 static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
 	{
 	int i;
 	for (i = 0; i < PK11_DIGEST_MAX; ++i)
 		{
-		pk11_get_digest(pflist, current_slot, digests[i].mech_type,
+		pk11_get_digest(pflist, current_slot, current_slot_n_digest,
-		    current_slot_n_digest, local_digest_nids, digests[i].id);
+		    local_digest_nids, &digests[i]);
 		}
 	}
 #ifdef	SOLARIS_HW_SLOT_SELECTION
 /*
 	CK_FUNCTION_LIST_PTR pflist = NULL;
 	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
 	int *tmp_hw_cnids = NULL, *tmp_hw_dnids = NULL;
 	int hw_ctable_size, hw_dtable_size;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: SOLARIS_HW_SLOT_SELECTION code running\n",
-	fprintf(stderr, "%s: SOLARIS_HW_SLOT_SELECTION code running\n",
 	    PK11_DBG);
-#endif
 	/*
 	 * Use RTLD_GROUP to limit the pkcs11_kernel provider to its own
 	 * symbols, which prevents it from mistakenly accessing C_* functions
 	 * from the top-level PKCS#11 library.
 	 */
 		}
 	/* no slots, set the hw mechanism tables as empty */
 	if (ulSlotCount == 0)
 		{
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: no hardware mechanisms found\n", PK11_DBG);
-	fprintf(stderr, "%s: no hardware mechanisms found\n", PK11_DBG);
-#endif
 		hw_cnids = OPENSSL_malloc(sizeof (int));
 		hw_dnids = OPENSSL_malloc(sizeof (int));
 		if (hw_cnids == NULL || hw_dnids == NULL)
 			{
 			PK11err(PK11_F_CHECK_HW_MECHANISMS,
 	for (i = 0; i < hw_ctable_size; ++i)
 		tmp_hw_cnids[i] = NID_undef;
 	for (i = 0; i < hw_dtable_size; ++i)
 		tmp_hw_dnids[i] = NID_undef;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: provider: %s\n", PK11_DBG, pkcs11_kernel);
-	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, pkcs11_kernel);
+	DEBUG_SLOT_SEL("%s: found %d hardware slots\n", PK11_DBG, ulSlotCount);
-	fprintf(stderr, "%s: found %d hardware slots\n", PK11_DBG, ulSlotCount);
+	DEBUG_SLOT_SEL("%s: now looking for mechs supported in hw\n",
-	fprintf(stderr, "%s: now looking for mechs supported in hw\n",
 	    PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 	for (i = 0; i < ulSlotCount; i++)
 		{
 		if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK)
 			continue;
-#ifdef	DEBUG_SLOT_SELECTION
+		DEBUG_SLOT_SEL("%s: token label: %.32s\n", PK11_DBG,
-	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
+		    token_info.label);
-#endif	/* DEBUG_SLOT_SELECTION */
 		/*
 		 * We are filling the hw mech tables here. Global tables are
 		 * still NULL so all mechanisms are put into tmp tables.
 		 */
 	OPENSSL_free(pSlotList);
 	(void) dlclose(handle);
 	hw_cnids = tmp_hw_cnids;
 	hw_dnids = tmp_hw_dnids;
-#ifdef	DEBUG_SLOT_SELECTION
+	DEBUG_SLOT_SEL("%s: hw mechs check complete\n", PK11_DBG);
-	fprintf(stderr, "%s: hw mechs check complete\n", PK11_DBG);
-#endif	/* DEBUG_SLOT_SELECTION */
 	return (1);
 err:
 	if (pSlotList != NULL)
 		OPENSSL_free(pSlotList);
 	/* The table is never full, there is always at least one NID_undef. */
 	while (nid_table[i] != NID_undef)
 		{
 		if (nid_table[i++] == nid)
 			{
-#ifdef	DEBUG_SLOT_SELECTION
+			DEBUG_SLOT_SEL(" (NID %d in hw table, idx %d)", nid, i);
-	fprintf(stderr, " (NID %d in hw table, idx %d)", nid, i);
-#endif	/* DEBUG_SLOT_SELECTION */
 			return (1);
 			}
 		}
 	return (0);

changeset 914	39cfb488e7d8
parent 866	c6e2467e422e
child 939	75af6f4e07b1